Description
A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where this permission is equivalent to `manage-permissions`. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within the realm. This privilege escalation can occur when admin permissions are enabled at the realm level.
Published: 2026-03-26
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

When admin permissions are enabled at the realm level, Keycloak's permission checks treat the `manage-clients` role as though it were `manage-permissions`. An administrator who holds only `manage-clients` can therefore reach the permission model that governs roles, users and other realm resources, and from there obtain full realm admin access (the GitHub advisory title summarises it as "manage-clients permission escalates to full realm admin access"). Red Hat classifies the flaw as CWE-266 (Incorrect Privilege Assignment). No exploit chain is needed beyond ordinary Admin REST API or admin console calls made by a legitimately authenticated administrator; the weakness is that the server grants more than the assigned role was meant to convey.

Affected Systems

The affected entries recorded on this page are upstream Keycloak (vendor keycloak) and the Red Hat products that ship it: Red Hat build of Keycloak 26.4 (CPE cpe:/a:redhat:build_keycloak:26.4::el9), Red Hat JBoss Enterprise Application Platform 8, the JBoss Enterprise Application Platform Expansion Pack, and Red Hat Single Sign-On 7. The vulnerable code is in the org.keycloak:keycloak-services module. The precondition is per realm: an installation is exposed only in realms where admin permissions are enabled, and it stays exposed until the relevant security updates are applied.

Risk and Exploitability

The CVSS 3.1 base score is 6.5 (Medium), vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N: reachable over the network with low complexity and no user interaction, but only by a principal that is already highly privileged, with high confidentiality and integrity impact and no availability impact. EPSS is below 1 % and the CVE is not in CISA's KEV catalogue; the SSVC assessment records Exploitation: none, Automatable: no, Technical Impact: total. The attacker must already be authenticated as an administrator holding `manage-clients` in a realm where admin permissions are enabled, so the realistic threat is an insider, a compromised delegated-admin account, or an automation service account that was given `manage-clients` for client lifecycle tasks. Once exploited, the attacker can reshape the realm's permission structure, take over user accounts and change security settings, which for an identity provider amounts to full compromise of that realm.

Generated by OpenCVE AI on April 15, 2026 at 22:37 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.


OpenCVE Recommended Actions

  • Apply the Red Hat security updates referenced for this CVE (RHSA‑2026:6477, RHSA‑2026:6478), which correct the permission check so that `manage-clients` no longer implies `manage-permissions`; upstream Keycloak deployments should move to a release that includes the fix tracked in GHSA-7xf9-4jfc-wgm4.
  • Until patched, treat `manage-clients` as equivalent to realm admin in every realm where admin permissions are enabled: revoke it from users, groups and service accounts that do not also legitimately need `manage-permissions`, and keep it off automation accounts whose only job is client lifecycle management. The escalation path exists only while admin permissions are enabled at the realm level, so a realm that does not need that feature is not exposed.
  • Audit the holders of realm-management roles in every realm (direct and composite assignments, including those inherited through group membership) and remove management rights that have no operational justification. Keycloak admin events are the record to review for `manage-clients` holders who have already touched permission or role endpoints.



Advisories

  Source: GitHub GHSA
  ID:     GHSA-7xf9-4jfc-wgm4
  Title:  Keycloak: manage-clients permission escalates to full realm admin access
History

Thu, 02 Apr 2026 14:15:00 +0000

  CPEs
    Removed: cpe:/a:redhat:build_keycloak:
    Added:   cpe:/a:redhat:build_keycloak:26.4::el9
  References

Wed, 01 Apr 2026 23:45:00 +0000

  First Time appeared
    Added: Redhat build Of Keycloak
           Redhat jboss Enterprise Application Platform Expansion Pack
           Redhat single Sign-on
  CPEs
    Added: cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:-:*:*:*
           cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0.0:*:*:*:*:*:*:*
           cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:*
           cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*
  Vendors & Products
    Added: Redhat build Of Keycloak
           Redhat jboss Enterprise Application Platform Expansion Pack
           Redhat single Sign-on

Mon, 30 Mar 2026 15:15:00 +0000

  Metrics
    Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 19:15:00 +0000

  Description
    Removed: No description is available for this CVE.
    Added:   A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where this permission is equivalent to `manage-permissions`. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within the realm. This privilege escalation can occur when admin permissions are enabled at the realm level.
  Title
    Removed: keycloak: org.keycloak/keycloak-services: Keycloak: Privilege escalation via manage-clients permission
    Added:   Keycloak: org.keycloak/keycloak-services: keycloak: privilege escalation via manage-clients permission
  First Time appeared
    Added: Redhat
           Redhat build Keycloak
           Redhat jboss Enterprise Application Platform
           Redhat jbosseapxp
           Redhat red Hat Single Sign On
  CPEs
    Added: cpe:/a:redhat:build_keycloak:
           cpe:/a:redhat:jboss_enterprise_application_platform:8
           cpe:/a:redhat:jbosseapxp
           cpe:/a:redhat:red_hat_single_sign_on:7
  Vendors & Products
    Added: Redhat
           Redhat build Keycloak
           Redhat jboss Enterprise Application Platform
           Redhat jbosseapxp
           Redhat red Hat Single Sign On
  References

Wed, 25 Feb 2026 12:00:00 +0000

  First Time appeared
    Added: Keycloak
           Keycloak keycloak
  Vendors & Products
    Added: Keycloak
           Keycloak keycloak

Wed, 25 Feb 2026 00:15:00 +0000

  Description
    Added: No description is available for this CVE.
  Title
    Added: keycloak: org.keycloak/keycloak-services: Keycloak: Privilege escalation via manage-clients permission
  Weaknesses
    Added: CWE-266
  References
  Metrics
    threat_severity
      Removed: None
      Added:   Moderate
    cvssV3_1
      Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-02T16:39:35.672Z

Reserved: 2026-02-24T13:09:39.644Z

Link: CVE-2026-3121

Vulnrichment

Updated: 2026-03-30T13:58:50.365Z

NVD

Status: Modified

Published: 2026-03-26T19:17:06.213

Modified: 2026-04-02T14:16:31.713

Link: CVE-2026-3121

Redhat

Severity: Moderate

Public Date: 2026-02-24T11:11:00Z

Links: CVE-2026-3121 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T22:45:16Z

Weaknesses

CWE-266 (Incorrect Privilege Assignment)